Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 6, 2024, 10:13 a.m.	Aug. 6, 2024, 10:15 a.m.

Size	180.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`dbf56776aebe6a46a4098a24250aec57`
SHA256	`1af1edaf9241ef43663e0ca489a90c4a64ef0117e1ac62a7ff43f8567cf14750`
CRC32	`46C39807`
ssdeep	`3072:HGpnIuRoGhRLwTWdYs5/l9sgmW46Suo3ArAhH+15oPtWOoH6uPPr0C:HGpIgRsTIXsgmWl1oQUU5oPtW3a4`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

HxD.exe "C:\Users\test22\AppData\Local\Temp\HxD.exe"
1072

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	104.20.4.235

IP Address	Status	Action
104.20.3.235	Active	Moloch
147.45.44.138	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.44.138:8848 -> 192.168.56.103:49168	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49165 -> 104.20.3.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 104.20.3.235:443	C=US, O=Google Trust Services, CN=WR1	CN=pastebin.com	cc:0e:be:70:1b:67:5c:13:ea:80:6e:13:9c:74:c6:a7:8e:99:11:11

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2024, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 10:06 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2024, 10:06 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://pastebin.com/raw/jDAt5ZME

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/jDAt5ZME

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Yara rule detected in process memory (10 events)

description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a5f37f2eb51df7caf15ae0eae060d1f0f2f10331

Communicates with host for which no DNS query was performed (1 event)

host

147.45.44.138

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 2164 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000200	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 manipulating memory of non-child process 2164
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 2164 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000200	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 injected into non-child 2164
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL=Z«fàê® @ `@X S µ @ H.text´é ê `.rsrcµ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1	0
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: P8h Ôt#A Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.7.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.0.7.08Assembly Version1.0.7.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0000000000412000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1	0
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: °9 base_address: 0x0000000000414000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1	0
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2164 process_handle: 0x0000000000000200	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 injected into non-child 2164
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL=Z«fàê® @ `@X S µ @ H.text´é ê `.rsrcµ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 resumed a thread in remote process 2164
NtResumeThread Aug. 6, 2024, 10:06 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 2164	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 6, 2024, 10:06 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1072	1	0
NtResumeThread Aug. 6, 2024, 10:06 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1072	1	0
NtResumeThread Aug. 6, 2024, 10:06 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 1072	1	0
CreateProcessInternalW Aug. 6, 2024, 10:06 a.m.	thread_identifier: 2168 thread_handle: 0x00000000000001f8 process_identifier: 2164 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000200	1	1
NtAllocateVirtualMemory Aug. 6, 2024, 10:06 a.m.	process_identifier: 2164 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000200	1	0
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL=Z«fàê® @ `@X S µ @ H.text´é ê `.rsrcµ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: base_address: 0x0000000000402000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: P8h Ôt#A Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.7.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.0.7.08Assembly Version1.0.7.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0000000000412000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: °9 base_address: 0x0000000000414000 process_identifier: 2164 process_handle: 0x0000000000000200	1	1
WriteProcessMemory Aug. 6, 2024, 10:06 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2164 process_handle: 0x0000000000000200	1	1
NtResumeThread Aug. 6, 2024, 10:06 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 2164	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Infected.ct
Cylance	Unsafe
VIPRE	Gen:Heur.MSIL.Krypt.6
Sangfor	Suspicious.Win32.Save.a
BitDefender	Gen:Heur.MSIL.Krypt.6
Cybereason	malicious.6aebe6
Arcabit	Trojan.MSIL.Krypt.6
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Injector.LOS
APEX	Malicious
McAfee	Artemis!DBF56776AEBE
Avast	FileRepMalware [Rat]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Trojan:MSIL/Injector.ceb6b2eb
MicroWorld-eScan	Gen:Heur.MSIL.Krypt.6
Rising	Malware.Obfus/MSIL@AI.92 (RDM.MSIL2:bn44hXW4gby1DF64PqXsKg)
Emsisoft	Gen:Heur.MSIL.Krypt.6 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.InjectNET.17
TrendMicro	Backdoor.Win32.ASYNCRAT.YXEHEZ
McAfeeD	Real Protect-LS!DBF56776AEBE
FireEye	Generic.mg.dbf56776aebe6a46
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.TR.Dropper
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=83)
Kingsoft	malware.kb.c.1000
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.MSIL.Krypt.6
Varist	W32/MSIL_Troj.C.gen!Eldorado
AhnLab-V3	Malware/Win32.RL_Generic.C3997807
BitDefenderTheta	AI:Packer.892B100A1F
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.DiscoStealer.Heur
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.MSIL.Injector
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXEHEZ
Tencent	Win32.Trojan.Generic.Vmhl
huorong	Trojan/MSIL.Injector.fx
AVG	FileRepMalware [Rat]
Paloalto	generic.ml

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	147.45.44.138:8848
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166

HxD.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All